Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-02-09
Journal reports contain important message content and metadata. Understanding the structure of journal reports allows you to interpret the information in these reports.
Looking for management tasks related to managing journaling? See Managing Journaling.
Journal Reports
A journal report is the message generated by the Journaling agent on a Hub Transport server and delivered to the journaling mailbox. The original message is included unaltered as an attachment to the journal report. This type of journal report is called an envelope journal report.
Note: Microsoft Exchange Server 2010 supports envelope journaling only.
When using standard journaling, journal reports are generated for all messages sent or received by mailboxes on a mailbox database enabled for journaling. When using premium journaling, journal reports are generated for messages that match a journal rule.
For more information about journaling, see Understanding Journaling.
The information contained in a journal report is organized so that every value in each header field has its own line. This enables you to easily parse journal reports manually or by using an automated process, depending on your requirements.
When the Journaling agent journals a message, it tries to capture as much detail as possible about the original message. This information is very important in determining the intent of the message, its recipients, and its senders. For example, whether the recipients that are identified in the message are directly addressed in the To field, the Cc field or are included as part of a distribution list may determine the nature and extent of their involvement in the e-mail communication.
Depending on the situation, Exchange 2010 may generate more than one journal report for a single message. Whether a single message generates one journal report or multiple journal reports depends on several factors, such as message bifurcation or distribution group expansion.
Journal reports can potentially contain very sensitive information and must be protected so that they can't be viewed by unauthorized individuals. For more information about how you can protect journal reports, see Protecting Journal Reports.
For more information about managing journal reports, see Understanding How to Manage Journal Reports.
Journal Report Fields
The following sections describe each field contained within journal reports generated by Exchange 2010. These fields are separated into basic and extended fields, as shown in the following table.
Basic and extended journal report fields
Basic journal report fields | Extended journal report fields |
---|---|
Sender | To |
Subject | Cc |
Message-ID | Bcc |
Recipient | On-Behalf-Of |
Whether extended journal report fields are populated depends on whether recipient addressing can be determined. This happens in the following circumstances:
- MAPI submission to a Client Access server: Recipient addressing can be determined when a message is submitted to a Client Access server using a MAPI client such as Microsoft Outlook 2010.
- Authenticated SMTP submission to a Hub Transport server: Recipient addressing can also be determined when a message is submitted to a Hub Transport server in an authenticated SMTP session. The authenticated sender must not have the ms-Exch-Smtp-Accept-Any-Sender permission because this generally indicates that the sender was an Exchange server.
If recipient addressing can be determined for a particular recipient, the recipient e-mail address is inserted into the appropriate extended To, Cc, or Bcc fields described in the "Extended journal report fields" table later in this topic. The recipient e-mail address isn't inserted into the basic Recipient field described in the "Basic journal report fields" table later in this topic.
If a message is submitted to a Hub Transport server by using any other method, such as anonymous submission from an Edge Transport server or submission from a server running Exchange Server 2003, Exchange can't verify that the recipient addressing hasn't been tampered with. If recipient addressing can't be verified, the recipient e-mail address is inserted in the basic Recipient field and not into an extended To, Cc, or Bcc field.
For each recipient addressed on a message, one recipient journal report field is added. No recipient field contains more than one recipient e-mail address, except as follows:
- Recipient fields that contain recipients that have been expanded from a distribution group
- Recipient fields that contain recipients that have received a message forwarded from another mailbox
For expanded or forwarded messages, the e-mail address of the recipient that received final delivery of the message and the e-mail address of the distribution group or mailbox that was originally addressed are included.
Basic Journal Report Fields
Basic fields in Exchange 2010 journal reports include the sender, subject, and Message-ID of the original message. All journal reports include this information if it's present in the original message.
The fourth basic field is the Recipient field. Exchange 2010 only classifies information that it knows is correct. If Exchange can't determine whether a recipient was included in the To, Cc, or Bcc recipient fields, the recipient is added to the Recipient field in the journal report.
The following table lists the basic fields that are included in the body of journal reports.
Basic journal report fields
Field name | Description |
---|---|
Sender | The Sender field displays the SMTP address of the sender specified in the From header. If the message is sent on behalf of another sender, the field displays the address specified in the Sender header. |
Subject | The Subject field displays the subject header value. |
Message-ID | The Message-ID field displays the SMTP Message-ID. |
Recipient | The Recipient field displays the SMTP address of a recipient included in an e-mail message when Exchange can't determine the recipient addressing of that message. This includes messages from the Internet or unauthenticated senders and messages that originated from legacy Exchange servers. Recipients added by transport rules or other transport agents are also listed in the Recipient field. |
Extended Journal Report Fields
Extended fields in Exchange 2010 journal reports provide more recipient details, if available. The To, Cc, and Bcc fields in the journal report let you view how recipients are addressed in the original message.
The On-Behalf-Of field is populated if the SMTP headers of a message contain both the From and Sender header fields, regardless of whether the message was submitted directly to a Hub Transport server. The SMTP address contained in the From header field is populated in the On-Behalf-Of field.
The following table lists the extended fields that may be included in the body of journal reports.
Extended journal report fields
Field name | Description |
---|---|
On-Behalf-Of | The On-Behalf-Of field displays the SMTP address of the mailbox from which the message appears if the Send On Behalf Of feature is specified by the sender. |
To | The To field displays the SMTP address of a recipient included in the message envelope and in the To header field of the message. The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the To field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the "Expanded and Forwarded fields" table later in this topic. |
Cc | The Cc field displays the SMTP address of a recipient included in the message envelope and in the Cc header field of the message. The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the Cc field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the "Expanded and Forwarded fields" table later in this topic. |
Bcc | The Bcc field displays the SMTP address of a recipient included in the message envelope and in the Bcc header field of the message. The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the Bcc field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the "Expanded and Forwarded fields" table later in this topic. |
Expanded and Forwarded Fields
The Expanded and Forwarded fields are included as fields on Recipient, To, Cc, or Bcc fields when that recipient has either been expanded from a distribution group or has had the message forwarded from another mailbox. The following table describes the Expanded and Forwarded fields.
Expanded and Forwarded fields
Field | Description |
---|---|
Expanded | The Expanded field is displayed as a field of the To, Cc, and Bcc fields that are described earlier in this topic. The Expanded field is preceded by a comma. The SMTP address displayed in the Expanded field is the address of the distribution group that contains either the recipient specified in the To, Cc, or Bcc field or the nested distribution lists that contain the specified recipient. The address displayed in this field is always the first distribution list to be expanded, regardless of how many nested distribution lists may be between the original parent distribution list and the expanded final recipient specified in the To, Cc, or Bcc field. |
Forwarded | The Forwarded field is displayed as a field of the To, Cc, and Bcc fields that are described earlier in this topic. The Forwarded field is preceded by a comma. Usually, the Forwarded field displays the e-mail address of a mailbox configured to forward e-mail messages to the account specified in the To, Cc, or Bcc field. If a chain of forwarding mailboxes is configured, where each mailbox forwards messages to the next one, the first forwarding mailbox is displayed in this field and the SMTP address of the final, non-forwarding mailbox in the chain is displayed in the To, Cc, or Bcc field. |
The Journaling agent generates a journal report if a journaling recipient (the recipient specified in a journal rule) is detected in one of the following scenarios:
- The journaling recipient is the sender or a recipient specified in the To, Cc, or Bcc fields.
- The journaling recipient is a member of a distribution group that's specified in the To, Cc, or Bcc fields.
- A message is automatically forwarded to a journaling recipient.
In the following cases, information about some recipients who aren't journaling recipients may not be included in the journal report.
- Message chipping occurs: When a Hub Transport server handles a message that's sent to more than 1,000 recipients, either through distribution group expansion or if more than 1,000 recipients are specified in the To, Cc or Bcc fields, the server generates a separate copy of the message for every 1,000 recipients. This is performed to reduce system resources used during message expansion. By default, each copy contains a maximum of 1,000 recipients. This is known as message chipping. Each instance of the message is known as a chipped message.
The Journaling agent processes each chipped message to determine if there are any journaling recipients included in the recipient list. For example, if a message is sent to a distribution group that contains 5,000 members, the Hub Transport server generates five chipped messages, each containing 1,000 recipients. The Journaling agent generates a single journal report for each chipped message that contains a journaling recipient. The journal report contains details of only the 1,000 recipients included in the recipient list of the chipped message. If the distribution group membership contains only one journaling recipient, the Journaling agent generates a single journal report. That report lists only the 1,000 members that were expanded as a result of message chipping.
- Distribution group expansion servers are specified: When a Hub Transport server receives a message sent to an individual recipient or a distribution group marked for journaling, and a distribution group which has another Hub Transport server specified as the expansion server, the journal report lists the distribution groups as To, Cc, or Bcc recipients, but the Expanded field doesn't include members of the distribution group that wasn't expanded on that server.
For example, consider a message sent to two distribution groups (DL-Journaled, DL-NotJournaled) and a mailbox user (UserA). The DL-Journaled distribution contains journal recipients. The DL-NotJournaled distribution group has the Hub Transport server HT2 specified as an expansion server. In this example, the following steps are taken:
- The message is first processed by Hub Transport server HT1. HT1 expands DL-Journaled and detects journaling recipients. HT1 generates a journal report that contains the following noteworthy fields:
  - To/Cc/Bcc: This field includes DL-Journaled, DL-NotJournaled, and UserA.
  - Expanded: This field includes members of DL-Journaled. If DL-Journaled contains more than 1,000 members, message chipping may occur, which would generate more than one chipped message. It may also include membership of any other distribution groups expanded on HT1 for this particular chipped message (for example, a distribution group that's a member of DL-Journaled).
- HT1 delivers the journal report to the journaling mailbox.
- HT1 marks the message as journaled by inserting the x-header X-MS-Exchange-Organization-Processed-By-Journaling.
- HT1 bifurcates the message and sends it to HT2, the expansion server specified for DL-NotJournaled.
- HT1 delivers the message to the next hop for the recipients expanded from DL-Journaled (which could include further bifurcation) and UserA.
- HT2 receives the message. It inspects the message headers and determines that the message has been journaled.
- HT2 expands the DL-NotJournaled distribution group. None of the expanded recipients are journaling recipients. Therefore, no additional journal reports are generated.
- HT2 delivers the message to the next hop for the recipients expanded from DL-NotJournaled (which could include further bifurcation).
Journal Report Headers
In Exchange 2003, the journaling of messages and the identification of journal reports are controlled by using the X-EXCH50 binary large object (BLOB). In Exchange 2010, the X-EXCH50 BLOB is deprecated and replaced with SMTP headers. The organization SMTP headers can be accessed only by the Exchange 2010 transport components, and they're removed by the header firewall before a message is delivered to a mailbox or to an SMTP server outside the Exchange 2010 organization.
The following headers are used by the journaling agent:
- X-MS-Exchange-Organization-Journal-Report: This SMTP header identifies an Exchange 2010 journal report. This allows the message to act as a system message, allowing it to bypass message size and mailbox recipient restrictions. The header is removed when the journal report is delivered to a journal mailbox.
- X-MS-Journal-Report: This SMTP header is added to a journal report when it's delivered to a journal mailbox, to indicate the message is a journal report. This header lets you differentiate a journal report from a regular message, but it isn't used by any Exchange 2010 transport components.
- X-MS-Exchange-Organization-Processed-By-Journaling: This SMTP header identifies messages that have been processed by the Exchange 2010 Journaling agent. If the header is included in a message, Exchange 2010 recognizes that the message has already been processed by the Journaling agent on a previous Hub Transport server, and it doesn't journal the message again. This header is removed before the message is delivered to recipients.
These SMTP headers don't contain values. As previously described, the existence of these headers in a message determines whether the message is a journal report or has been processed by the Journaling agent.
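The field and header descriptions above can be combined into an automated check. The following Python sketch is an added example, not Microsoft's code: it treats a message as a journal report only when X-MS-Journal-Report is present, parses the report body, and flags recipients that appear only in the basic Recipient field, whose addressing Exchange could not verify. The `Name: value` line layout, the exact spelling of the `, Expanded:` and `, Forwarded:` suffixes, the function names, and the sample addresses are assumptions.

```python
import re
from email import message_from_string, policy

RECIPIENT_FIELDS = {"recipient", "to", "cc", "bcc"}
OTHER_FIELDS = {"sender", "subject", "message-id", "on-behalf-of"}
# Assumed layout: "<address>, Expanded: <group>" or "<address>, Forwarded: <mailbox>"
SUFFIX = re.compile(r"^(?P<addr>[^,]+?)\s*,\s*(?P<kind>Expanded|Forwarded):\s*(?P<via>\S+)$", re.I)

def parse_report_body(body):
    """Parse the one-field-per-line report body into a dict."""
    report = {"recipients": []}
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key in RECIPIENT_FIELDS:
            m = SUFFIX.match(value)
            report["recipients"].append({
                "field": key,
                "address": m["addr"] if m else value,
                "via": (m["kind"].lower(), m["via"]) if m else None,
                # Basic Recipient field: addressing Exchange could not verify.
                "verified": key != "recipient",
            })
        elif key in OTHER_FIELDS:
            report.setdefault(key, value)  # suffixes apply to recipient fields only
    return report

def parse_journal_message(raw):
    """Return the parsed report, or None if the message is not a journal report."""
    msg = message_from_string(raw, policy=policy.default)
    # The header has no value; its presence alone marks a journal report.
    if "X-MS-Journal-Report" not in msg:
        return None
    part = msg.get_body(preferencelist=("plain",))
    report = parse_report_body(part.get_content() if part else "")
    rcpts = report["recipients"]
    report["unverified_only"] = bool(rcpts) and not any(r["verified"] for r in rcpts)
    return report

# Constructed sample mirroring the page's first example; all addresses are made up.
SAMPLE = """\
X-MS-Journal-Report:

Sender: jennifer@contoso.example
Subject: Q3 figures, Expanded: not-a-field
Message-ID: <constructed-1@contoso.example>
To: anna@contoso.example
To: member1@contoso.example, Expanded: salesgroup@contoso.example
Cc: christine@contoso.example
Cc: katie@contoso.example, Forwarded: christine@contoso.example
Bcc: blaine@contoso.example
"""
```

A report with `unverified_only` set corresponds to the Internet-originated case, where every recipient lands in the Recipient field and the To/Cc/Bcc placement should not be relied on.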
Examples of Journal Reports
The first figure in this section shows an example of a journal report that was generated when a message was sent from an Exchange 2010 mailbox to a Hub Transport server. The message was sent by mailbox user Jennifer Kim to the following recipients:
- To: SalesGroup distribution group, Anna Lidman
- Cc: Christine Hughes
  Note: Christine's mailbox is configured to automatically forward messages to the mailbox for Katie Jordan, and also keep a copy.
- Bcc: Blaine Dockter
A single journal report was created when the original message was sent. The journal report shown in the following figure lists all the recipients addressed in the To field, including recipients expanded from the SalesGroup distribution group, the Cc field, including recipients to whom the message was forwarded automatically, and the Bcc field recipient.
The following figure shows an example of a journal report that was generated when a message that originated from the Internet was processed by a Hub Transport server. The recipients addressed in this example are the same as the recipients in the previous example. However, in the journal report in this figure, all recipients are included in the Recipient field because the original message was sent from the Internet, and Exchange can't verify that the recipient addressing hasn't been tampered with. As with the first example, a single journal report is created.